This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Shrew Soft IPSec VPN Client with Astaro V8.102

The Shrew VPN client sort of connects to my Astaro firewall at home in an Astaro IPSEC Roadwarrior configuration, but I'm still unable to ping or browse the remote network.

I used the configuration mentioned in this post for the Shrew Soft client.

https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/53198

This is what I'm getting in the IPSec log of my firewall at home:

2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: received Vendor ID payload [XAUTH]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: received Vendor ID payload [RFC 3947]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: received Vendor ID payload [Dead Peer Detection]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: ignoring Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: ignoring Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: ignoring Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:500: ignoring Vendor ID payload [Cisco-Unity]
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[7] 173.221.113.250 #9: responding to Main Mode from unknown peer 173.221.113.250
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[7] 173.221.113.250 #9: NAT-Traversal: Result using RFC 3947: peer is NATed
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[7] 173.221.113.250 #9: Peer ID is ID_IPV4_ADDR: '192.168.0.112'
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250 #9: deleting connection "D_IPSec VPN" instance with peer 173.221.113.250 {isakmp=#0/ipsec=#0}
2011:05:05-10:07:54 as-01 pluto[18117]: | NAT-T: new mapping 173.221.113.250:500/59393)
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sent MR3, ISAKMP SA established
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending XAUTH request
2011:05:05-10:07:54 as-01 pluto[18117]: packet from 173.221.113.250:59393: Informational Exchange is for an unknown (expired?) SA
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: parsing XAUTH reply
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: extended authentication was successful
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending XAUTH status
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: parsing XAUTH ack
2011:05:05-10:07:54 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: received XAUTH ack, established
2011:05:05-10:08:02 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===174.48.3.61:4500[174.48.3.61]...173.221.113.250:59393[192.168.0.112]===10.33.33.100/32
2011:05:05-10:08:02 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_ID_INFORMATION to 173.221.113.250:59393
2011:05:05-10:08:02 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===174.48.3.61:4500[174.48.3.61]...173.221.113.250:59393[192.168.0.112]===10.33.33.100/32
2011:05:05-10:08:02 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_ID_INFORMATION to 173.221.113.250:59393
2011:05:05-10:08:07 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x657e098a (perhaps this is a duplicated packet)
2011:05:05-10:08:07 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_MESSAGE_ID to 173.221.113.250:59393
2011:05:05-10:08:07 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x84a1f7a1 (perhaps this is a duplicated packet)
2011:05:05-10:08:07 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_MESSAGE_ID to 173.221.113.250:59393
2011:05:05-10:08:12 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x657e098a (perhaps this is a duplicated packet)
2011:05:05-10:08:12 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_MESSAGE_ID to 173.221.113.250:59393
2011:05:05-10:08:12 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x84a1f7a1 (perhaps this is a duplicated packet)
2011:05:05-10:08:12 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_MESSAGE_ID to 173.221.113.250:59393
2011:05:05-10:08:17 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x657e098a (perhaps this is a duplicated packet)
2011:05:05-10:08:17 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_MESSAGE_ID to 173.221.113.250:59393
2011:05:05-10:08:17 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x84a1f7a1 (perhaps this is a duplicated packet)
2011:05:05-10:08:17 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_MESSAGE_ID to 173.221.113.250:59393
2011:05:05-10:08:19 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===174.48.3.61:4500[174.48.3.61]...173.221.113.250:59393[192.168.0.112]===10.33.33.100/32
2011:05:05-10:08:19 as-01 pluto[18117]: "D_IPSec VPN"[8] 173.221.113.250:59393 #9: sending encrypted notification INVALID_ID_INFORMATION to 173.221.113.250:59393

[:S] [:S] [:S] [:S]

Any help will be greatly appreciated,

Thanks.

This thread was automatically locked due to age.

0 LazLong over 13 years ago

What is the scope of the VPN Pool on the ASG side?

The scope of the IPSec Pool? 10.6.6.1 - 100 off the top of my head; it doesn't overlap with my internal net, which is 10.8.26.1 - 253.
Cancel
Vote Up 0 Vote Down

Cancel
0 LazLong over 13 years ago

I've not used it with 8.201, but it works fine with 7.511. I bet Scott's analysis is correct, and that 10.6.6.6 is in a subnet on your Astaro. However, if you're double-NATting the client (why else would you have a 10.8 address?), then all bets are off with IPsec.

Cheers - Bob

Damn. Yes, I am double NATing.
Cancel
Vote Up 0 Vote Down

Cancel